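# cert-manager issuers for net-kingdom SSO/MFA
#
# Two issuers are defined:
#   1. selfsigned-issuer — self-signed certificates for internal/test use
#   2. letsencrypt-prod  — ACME (Let's Encrypt) for public-facing ingresses
#
# Apply order:
#   kubectl apply -f issuers.yaml
#   kubectl apply -f test-certificate.yaml   # verify selfsigned-issuer works
#
# Prerequisites: cert-manager must be installed and its CRDs registered.
# On K3s: cert-manager is NOT installed by default — install via Helm:
#   helm repo add jetstack https://charts.jetstack.io
#   helm install cert-manager jetstack/cert-manager \
#     --namespace cert-manager --create-namespace \
#     --set crds.enabled=true
#
# Both objects are ClusterIssuers (cluster-scoped), so every namespace can
# request certificates from them. Use a namespaced Issuer instead if
# individual tenants should not be able to obtain certificates from them.

# ── Self-signed ClusterIssuer (test / internal) ──────────────────────────────
# A selfSigned issuer signs each Certificate with that Certificate's own key;
# nothing trusts the result unless clients import it explicitly. To get a
# shared internal root, issue one CA Certificate from here and point a
# `ca:` issuer at its secret. Never expose certificates from this issuer
# outside the cluster.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}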
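---
# ── Let's Encrypt production ClusterIssuer ───────────────────────────────────
# Requires: public DNS pointing to the cluster, port 80 reachable by ACME.
# Traefik handles the HTTP-01 challenge automatically.
#
# The `email` below is the ACME account contact and receives expiry and
# policy notices; change it when forking this manifest. The production
# endpoint is rate-limited (failed validations and duplicate certificates
# count), so validate new ingresses against the staging server
# (https://acme-staging-v02.api.letsencrypt.org/directory) before
# switching them to this issuer.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: bernd.worsch+netkingdom@gmail.com
    # cert-manager generates the ACME account private key and stores it in
    # this Secret (for a ClusterIssuer, in cert-manager's own namespace).
    # Treat it as a credential: restrict RBAC read access to it and do not
    # commit or back it up in plaintext.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      # HTTP-01 only: the challenge is served through the traefik ingress
      # class on port 80. Wildcard certificates are not obtainable this way;
      # they require a DNS-01 solver.
      - http01:
          ingress:
            ingressClassName: traefik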